U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Evaluation Report
The Department's Unclassified Cyber Security Program - 2009

DOE/IG-0828                                  October 2009

Department of Energy
Washington, DC 20585
October 16, 2009

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman
          Inspector General
SUBJECT:  INFORMATION: Evaluation Report on "The Department's Unclassified Cyber Security Program"

BACKGROUND

Industry experts report that security challenges and threats are continually evolving as malicious activity has become more web-based and attackers are able to rapidly adapt their attack methods. In addition, the number of data breaches continues to rise. In an effort to mitigate and address threats and protect valuable information, the Department of Energy anticipated spending about $275 million in Fiscal Year (FY) 2009 to implement cyber security measures necessary to protect its information technology resources. These systems and data are designed to support the Department's mission and business lines of energy security, nuclear security, scientific discovery and innovation, and environmental responsibility.

The Federal Information Security Management Act of 2002 (FISMA) provides direction to agencies on the management and oversight of information security risks, including design and implementation of controls to protect Federal information and systems. As required by FISMA, the Office of Inspector General conducts an annual independent evaluation to determine whether the Department's unclassified cyber security program adequately protects its information systems and data.
This memorandum and the attached report present the results of our evaluation for FY 2009.

RESULTS OF EVALUATION

The Department continued to make incremental improvements in its unclassified cyber security program. Our evaluation disclosed that most sites had taken action to address weaknesses previously identified in our FY 2008 evaluation report. They improved certification and accreditation of systems; strengthened configuration management of networks and systems; performed independent assessments; and developed and/or refined certain policies and procedures. In addition, the Department instituted a centralized incident response organization designed to eliminate duplicative efforts throughout the Department. As we have noted in previous reports, the Department continued to maintain strong network perimeter defenses against malicious intruders and other external threats.

These are positive accomplishments. However, in our judgment, additional action is required to further enhance the Department's unclassified cyber security program and help reduce risks to its systems and data. For example, our current review identified opportunities for improvements in areas such as security planning and testing, systems inventory, access controls, and configuration management. In particular, we issued a number of findings at sites managed by the National Nuclear Security Administration (NNSA).
We also identified weaknesses across various Department program elements. Issues that warrant further attention include:

• Weaknesses such as outdated security plans and not completing annual security control self-assessments were identified at several sites;

• The Department had not yet resolved systems inventory issues and had yet to deploy a complex-wide automated asset management tool to help track information technology resources and identify interfaces between systems or networks;

• Although certain improvements had been made to enhance access controls, we noted deficiencies such as a lack of periodic account reviews and inadequate password management at a number of sites; and,

• Previously identified weaknesses in configuration management had been corrected; however, we found problems related to weak administrator account settings and failure to install software patches, as well as incomplete implementation of the Federal Desktop Core Configuration.

These internal control weaknesses existed, at least in part, because certain cyber security roles and responsibilities were not clearly delineated. Program officials also had not effectively performed monitoring and review activities essential for evaluating the adequacy of cyber security performance. In some cases, officials had not ensured that weaknesses discovered during audits and other evaluations were recorded and tracked to resolution in the organizations' Plans of Action and Milestones.
Our testing disclosed that about 39 percent of existing corrective action milestones had missed estimated remediation dates, with many exceeding planned completion dates by at least one year. As a consequence, the risk of compromise to the Department's information and systems remained higher than necessary.

To assist the continuing efforts to improve, we made several recommendations designed to help the Department's managers strengthen the unclassified cyber security program and, thereby, protect its computer resources from unauthorized modification, loss, or disclosure of information.

Due to security considerations, information on specific vulnerabilities and locations has been omitted from this report. Management officials at the sites evaluated were provided with detailed information regarding identified vulnerabilities, and, in many instances, initiated corrective actions.

MANAGEMENT REACTION

Management concurred with the report's recommendations and disclosed that it had initiated or already completed actions to address weaknesses identified in our report. In separate comments, the NNSA neither concurred nor disagreed with our specific recommendations. However, the NNSA disclosed that it generally agreed with the report content.
Management's comments are included in their entirety in Appendix 3.

Attachment

cc: Deputy Secretary
    Administrator, National Nuclear Security Administration
    Under Secretary for Science
    Under Secretary of Energy
    Director, Office of Health, Safety and Security
    Chief of Staff
    Chief Information Officer

EVALUATION REPORT ON THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM - 2009

TABLE OF CONTENTS

Unclassified Cyber Security Program

Details of Finding ........................................ 1
Recommendations and Comments .............................. 8

Appendices

1. Objective, Scope, and Methodology ..................... 10
2. Prior Reports ......................................... 12
3. Management Comments ................................... 17

Unclassified Cyber Security Program

Program Improvements

The Department of Energy (Department or DOE) continued to make incremental progress over the past year in addressing previously identified cyber security weaknesses and enhancing its unclassified cyber security program. For instance, we noted that actions had been taken to correct seven of nine findings identified during our evaluation of The Department's Unclassified Cyber Security Program – 2008 (DOE/IG-0801, September 2008).
In particular, the Office of Science (Science) and Under Secretary of Energy program elements took action to close all of their findings previously identified by the Office of Inspector General (OIG). In addition, the National Nuclear Security Administration (NNSA) closed four of six findings from last year. Specific actions taken included:

• Improvements in the area of certification and accreditation activities at various sites, including updating security plans to account for current controls and correcting deficiencies identified through control testing;

• Deployment of independent certification agents at sites to perform and validate security control testing results;

• Six sites had updated certain security policies and procedures related to self-assessments, independent assessments, and access controls to correct deficiencies identified during last year's evaluation;

• Correcting configuration management vulnerabilities such as implementing a new process for updating network services and performing regular vulnerability scans; and,

• Instituting a centralized incident response organization that eliminated duplicative efforts throughout the Department.

Managing Cyber Related Risks

As noted above, the Department continued to improve the
management of its cyber security program. For example, similar to last year, our evaluation disclosed that the number of overall findings issued to the Department related to risk management had significantly decreased from prior years. In particular, we did not identify any significant issues related to contingency planning or system categorization during our current evaluation. We did, however, determine that additional improvements are possible and should help to further reduce the risk of compromise to the agency's information systems and data. In particular, we identified weaknesses in the areas of security planning and testing and maintaining a complete systems inventory. These processes are essential for ensuring a complete and effective risk management strategy for protecting information technology (IT) systems and data.

Security Planning and Testing

Security planning and testing are critical activities that support a risk management process and are an integral part of an agency's information security program.
However, as identified in our reports on Cyber Security Risk Management Practices at the Southeastern, Southwestern, and Western Area Power Administrations (DOE/IG-0805, November 2008), and Cyber Security Risk Management Practices at the Bonneville Power Administration (DOE/IG-0807, December 2008), the Power Marketing Administrations (PMAs) had allowed many security plans to expire or had not developed security plans for all applicable systems. While these same weaknesses were reported in our prior Federal Information Security Management Act (FISMA) evaluation, we noted that a number of the deficiencies had yet to be corrected. A comprehensive system security plan is essential for agency officials to determine that all system risks have been fully considered and necessary mitigating controls are in place.

Additionally, certain PMAs had not always completed annual self-assessments of security controls. For example, one PMA did not perform physical testing of controls but rather relied upon discussion of the controls to determine whether they were properly implemented and operating as intended.
In another instance, a PMA mistakenly relied on the Department's Office of Health, Safety and Security (HSS) to satisfy the certification requirements for all systems even though HSS did not test all applicable National Institute of Standards and Technology (NIST) controls and its inspections were not meant to be a substitute for certification testing.

Systems Inventory

Although identified as a problem for the past several years, the Department had not yet resolved systems inventory related weaknesses. Specifically, the Department's current systems inventory process consists of an annual data call to sites and organizations. During this process, the Department relies completely on programs and contractors to self-report their inventory. However, the Office of the Chief Information Officer (OCIO) conducts only limited verification to check the consistency of information reported quarterly.
An accurate and complete inventory of the Department's information resources is needed to plan for and institute appropriate protective measures for its systems, especially those that contain sensitive and personally identifiable information (PII).

In addition, as we reported last year, the Department had not deployed a complex-wide automated asset management tool to help track systems and identify interfaces between systems or networks. The online tool chosen as a solution by the Department, initiated in 2007, was to provide the capability to capture systems inventory information, but delays continue to push back full implementation. An OCIO official anticipated sites and programs would be required to use the new system by the third quarter of Fiscal Year (FY) 2010. Although not a Federal requirement, an automated asset management tool – when fully implemented – could assist the Department in not only FISMA reporting but also in areas such as risk management, capital planning, and configuration management.

Security Controls

While many of the security control deficiencies reported during our previous evaluation had been corrected, we issued six findings during our current review related to access controls and/or configuration management. These controls help prevent unauthorized access and modification to information systems and data from both internal and external sources.
Based on our testing, we found that weaknesses in these areas existed at a number of sites. In a number of instances, site officials took action to correct weaknesses soon after we brought them to their attention. However, as described below, various weaknesses remain.

Access Controls

The Department continued to experience access control weaknesses for its information systems. Access controls consist of both physical and logical measures designed to protect information resources from unauthorized modification, loss, or disclosure. To ensure that only authorized individuals can gain access to networks or systems, controls of this type need to be strong and functional. Although one site closed an access control finding identified during last year's review, we noted that control weaknesses continued to exist at multiple sites, including:

• Eight sites had default or weak account credentials such as usernames and passwords. In addition, passwords were not always changed or locked out according to Department policy.
While deficiencies at six of these sites were corrected immediately after we pointed them out, the failure to fully implement corrective actions at the two remaining sites increased the risk of exposure of sensitive information to users with malicious intent. For example, the default vendor-supplied administrator user identification and password were not disabled or changed after the installation of a test system at one site. This weakness could have permitted an unauthorized user to access multiple systems by using the system administrator's user identification and password;

• Two sites had not conducted timely periodic management reviews of user accounts and related access privileges. For instance, one site had not conducted such a review in more than a year, limiting its ability to effectively monitor changes in access privileges. In another case, access levels at one site were not periodically reconciled with documented requirements.
Management review of user accounts and related access privileges is essential to determining whether users who no longer have a valid need for information resources because of job changes or resignations had their access removed in a timely manner; and,

• As disclosed in our report on Protection of the Department of Energy's Unclassified Sensitive Electronic Information (DOE/IG-0818, August 2009), access controls over laptop computers taken on foreign travel from one site were not adequate. Specifically, logical security assessments to identify potential infections from malware were not conducted prior to accessing the site's network after returning from travel. As a result, the site's network was subjected to potential exploitation if the laptop had been compromised while on foreign travel.

Configuration Management

Although actions were taken to mitigate configuration management findings identified during our FY 2008 review, we identified additional weaknesses at a number of Department sites this year.
These weaknesses included software vulnerabilities and deficiencies in implementing common security configurations. Configuration management controls are an integral component of a strong security policy and help to ensure that computer applications and systems are consistently configured with minimum security standards to prevent and protect against unauthorized modifications. However, our review disclosed that:

• Nine sites were using outdated network services or were missing security patches, including one site where software vulnerabilities identified by the manufacturer in 2007 were not patched even though fixes were available to correct the weakness. This vulnerability could have allowed unauthorized access to system administrator functions on any of the systems running the software;

• At one site, a server containing human resources data, including PII, was connected to the network with a configuration that permitted any user on the network to access the data through an anonymous connection.
During our testwork, we were able to exploit this vulnerability to obtain privacy data; and,

• Six sites used software configurations that were not secure, a practice that could result in the compromise of system administrator account credentials and ultimately allow unauthorized access to other internal systems.

In addition, numerous sites had not implemented the Federal Desktop Core Configuration (FDCC) mandated by the Office of Management and Budget. While the FDCC was designed to, among other things, make information systems more secure, we identified that seven Science field sites reviewed had implemented security configurations that were less stringent than those included in the FDCC. Furthermore, our current evaluation noted that although most Under Secretary of Energy and NNSA sites reviewed had implemented FDCC, certain sites were still working to meet the requirements. We recognize that the FDCC may not be appropriate in certain scientific or research environments and accounted for these circumstances in our review.

Cyber Security Management Program

The problems identified occurred, at least in part, because certain cyber security roles and responsibilities had not been clearly delineated.
In addition, programs and sites had not effectively monitored cyber security performance or ensured that Plans of Action & Milestones (POA&M) were used effectively.

Coordination

The OCIO and NNSA had made extensive efforts to coordinate the transition of a number of sites to the Department of Energy's Common Operating Environment (DOE-COE), an initiative launched by the Department to consolidate all aspects of common IT systems that had previously been managed separately by various organizations. However, we noted that certain roles and responsibilities related to the transition were not clearly delineated and contributed to three of the eight weaknesses identified during our review. For example, responsibility for certain areas was unclear and, therefore, some required functions were not completed, while other, less pressing functions were omitted altogether.
In response to the weaknesses we identified, officials stated they were developing corrective action plans and expected to remedy the specific weaknesses by the end of the Fiscal Year.

Performance Monitoring

As noted in previous evaluations, Department management had not effectively performed monitoring and review activities essential for evaluating the adequacy of cyber security performance and had not ensured that POA&Ms were always used effectively. For example, certain program-level cyber security representatives stated that a lack of resources prevented them from performing effective oversight within their respective programs. As such, they relied on reviews conducted by the OIG, Government Accountability Office, and HSS to help with monitoring activities and address related cyber security weaknesses.
While these independent organizations may make recommendations for improving controls, the reviews they perform are not a substitute for an effective internal control and management review structure. Rather, management is responsible for providing adequate oversight.

Furthermore, despite concurring with previous OIG recommendations, NNSA had not fully implemented an adequate periodic evaluation mechanism to ensure the effectiveness of field sites in carrying out their responsibilities for proper implementation of Federal cyber security requirements. NNSA informed us during the course of our evaluation that it had developed an aggressive assessment schedule for FY 2010 that, if adhered to, should further enhance its performance monitoring program.

As with past reviews, we identified problems regarding the use of POA&Ms as a management tool for tracking and correcting all known cyber security weaknesses.
In particular:

• Although the Department was working to implement corrective actions, five of nine cyber security weaknesses identified during our FY 2008 evaluation were not included in the Department's POA&M;

• Our evaluation identified that POA&Ms did not contain all cyber security weaknesses identified by oversight organizations, including numerous security related OIG reports; and,

• We identified that about seven percent of open milestones captured in the POA&Ms were at least one year beyond their projected remediation date, including one that was more than four years beyond its target date.

As noted in NIST guidance, POA&Ms are important for managing an entity's progress towards eliminating gaps between required security controls and those that are actually in place.

Resources and Data Remain at Risk

During FY 2009, the Department took a number of steps designed to improve its cyber security program. However, weaknesses continue to exist in key areas.
As demonstrated by recent HSS penetration testing, Departmental systems and information remain vulnerable to attack and exploitation. Specifically, HSS was able to gain access to large network segments at two national laboratories managed by Science and exfiltrated significant quantities of sensitive information, including PII. Notably, at least two other sites detected the attack and prevented HSS from gaining network access.

The importance of and need for sustained action are well demonstrated by industry experts who report that the number of new malicious code threats increased over 1,000 percent from 2006 to 2008. The Department also reported a 39 percent increase in the number of total incidents between FYs 2008 and 2009. While this increase may represent enhanced reporting, it also demonstrates the need to continuously improve detection capabilities and cyber security awareness. In addition, the Department reported that the number of attempted intrusions of its networks had increased rapidly between 2006 and 2008.
As\n                     such, sites must remain vigilant if they are to maintain their\n                     ability to thwart potential attacks from internal and external\n                     threats.\n\nRECOMMENDATIONS      To correct the weaknesses identified in this report and improve\n                     the effectiveness of the Department\'s cyber security program,\n                     we recommend that the Department and the NNSA Chief\n                     Information Officers, in coordination with the cognizant\n                     program elements, as appropriate:\n\n                        1. Correct, through the implementation of management,\n                           operational, and technical controls, each of the specific\n                           vulnerabilities identified in this report;\n\n                        2. Ensure effective coordination of efforts and\n                           responsibilities between the OCIO and programs during\n                           DOE-COE implementation at field sites;\n\n                        3. Perform compliance monitoring activities to ensure the\n                           adequacy of cyber security program performance; and,\n\n                        4. Ensure that POA&Ms are complete and are utilized as a\n                           management tool for prioritizing corrective actions and\n                           tracking all known cyber security weaknesses to\n                           completion.\n\n\n\n\n________________________________________________________________\nPage 8                              Recommendations and Comments\n\x0cMANAGEMENT           Management concurred with each of the report\'s\nREACTION             recommendations and provided technical comments on the\n                     content of the report. 
Management added that it had initiated\n                     or completed corrective actions designed to address\n                     weaknesses identified during our review. Management noted\n                     that it continues to focus attention on coordination efforts\n                     related to DOE-COE implementation. In addition,\n                     management disclosed that it continues to work towards\n                     automating the complex-wide FISMA reporting process.\n\n                     In separate comments, the NNSA did not specifically indicate\n                     whether it agreed with our recommendations. However,\n                     NNSA disclosed that it generally agreed with the report\n                     content, but requested more specificity in certain areas. In\n                     addition, NNSA commented that it did not agree with the\n                     report finding that it had not fully implemented an adequate\n                     periodic evaluation mechanism. NNSA added that it was\n                     working to procure and deploy an asset management tool as\n                     part of its overall continuous monitoring program.\n\nAUDITORS             Management\'s comments were responsive to our\nCOMMENTS             recommendations. However, because the NNSA did not\n                     indicate whether it agreed with our recommendations, we\n                     consider NNSA\'s comments to be non-responsive. Regarding\n                     NNSA\'s comment that greater specificity is needed in the\n                     report, NNSA Headquarters and Site Office officials were\n                     provided with a copy of each of the findings related to its\n                     program during our review. NNSA concurred with all but one\n                     of the findings, which has since been closed and is not\n                     discussed in this report. 
In addition, NNSA provided\n                     corrective action plans in response to each of the findings.\n                     Although NNSA\'s comments disclosed that it did not agree\n                     with the report finding related to implementation of an\n                     adequate periodic evaluation mechanism, NNSA specifically\n                     concurred with our finding and recommendation related to this\n                     area at the time of our review. Management\'s and NNSA\'s\n                     comments are included in their entirety in Appendix 3.\n\n\n\n\n________________________________________________________________\nPage 9                              Recommendations and Comments\n\x0cAppendix 1\n\nOBJECTIVE                 To determine whether the Department of Energy\'s (DOE or\n                          Department) unclassified cyber security program adequately\n                          protected data and information systems.\n\nSCOPE                     The evaluation was performed between February 2009 and\n                          September 2009 at numerous locations. Specifically, we\n                          performed an assessment of the Department\'s unclassified\n                          cyber security program. The evaluation included a limited\n                          review of general and application controls in areas such as\n                          entity-wide security planning and management, access\n                          controls, application software development and change\n                          controls, and service continuity. Our work did not include a\n                          determination of whether vulnerabilities found were actually\n                          exploited and used to circumvent existing controls. 
The Health, Safety and Security Office of Independent Oversight performed a separate evaluation of the Department's information security program for National Security Systems.

METHODOLOGY

To accomplish the audit objective, we:

   •   Reviewed applicable laws and directives pertaining to cyber security and information technology resources such as the Federal Information Security Management Act of 2002, Office of Management and Budget Circular A-130 (Appendix III), and DOE Order 205.1A, Department of Energy Cyber Security Management;

   •   Reviewed applicable standards and guidance issued by the National Institute of Standards and Technology;

   •   Reviewed the Department's overall cyber security program management, policies, procedures, and practices throughout the organization;

   •   Assessed controls over network operations and systems to determine the effectiveness related to safeguarding information resources from unauthorized internal and external sources;

   •   Evaluated selected Headquarters' offices and field sites in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP (KPMG), the Office of Inspector General (OIG) contract auditor. KPMG work included analysis and testing of general and application controls for systems as well as vulnerability and penetration testing of networks; and,

   •   Reviewed and incorporated the results of other cyber security review work performed by the OIG, the Department's Office of Independent Oversight, and the Government Accountability Office.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits. Those standards require that we plan and perform the effort to obtain sufficient, appropriate evidence to provide a reasonable basis for our finding and conclusions based on our objective. We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our objective. Accordingly, we assessed significant internal controls and the Department's implementation of the Government Performance and Results Act of 1993 and determined that it had established performance measures for unclassified cyber security. Because our evaluation was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our evaluation. We did not rely solely on computer-processed data to satisfy the objective of the evaluation. However, computer-assisted audit tools were used to perform probes of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests. In addition, we confirmed the validity of other data, when appropriate, by reviewing supporting source documents.

The Department waived an exit conference.

Appendix 2

PRIOR REPORTS

Office of Inspector General Reports

   •   Protection of the Department of Energy's Unclassified Sensitive Electronic Information (DOE-IG-0818, August 2009). Opportunities exist to strengthen the protection of all types of sensitive unclassified electronic information. For example, sites: had not ensured that sensitive information maintained on mobile devices was encrypted or they had improperly permitted sensitive unclassified information to be transmitted unencrypted through email or to offsite backup storage facilities; had not ensured that laptops taken on foreign travel were protected against security threats; and, were still working to complete required Privacy Impact Assessments.

   •   Management Challenges at the Department of Energy (DOE/IG-0808, December 2008). 
The Office of Inspector General (OIG) identified six significant management challenges facing the Department of Energy (Department), including cyber security. Although the Department had made improvements in its unclassified cyber security program, the OIG continued to identify deficiencies relevant to certification and accreditation (C&A) of systems, contingency planning, systems inventory, and segregation of duties.

   •   Cyber Security Risk Management Practices at the Bonneville Power Administration (DOE/IG-0807, December 2008). Bonneville had not always appropriately identified and addressed potential risks to critical systems and data, to include systems controlling electricity transmission; developed adequate security plans for each of the four systems reviewed; ensured that physical and cyber security controls were tested and operating as intended; and, developed corrective action plans necessary to resolve weaknesses in a number of important control areas.

   •   Cyber Security Risk Management Practices at the Southeastern, Southwestern, and Western Area Power Administrations (DOE/IG-0805, November 2008). These Power Marketing Administrations had not always developed adequate security plans for each of the 12 systems reviewed; ensured that physical and cyber security controls were tested and operating as intended; developed corrective action plans necessary to resolve weaknesses in a number of important control areas; and, developed contingency plans to ensure that systems could be recovered in the event of a significant outage.

   •   The Department's Unclassified Cyber Security Program - 2008 (DOE/IG-0801, September 2008). The review identified opportunities for improvements in areas such as C&A of systems; systems inventory; contingency planning; and, segregation of duties. Similar to past observations, these internal control weaknesses existed, at least in part, because not all Department program organizations, including the National Nuclear Security Administration (NNSA), had revised and implemented policies incorporating Federal and Departmental cyber security requirements in a timely manner. Program officials had also not effectively performed management review activities essential for evaluating the adequacy of cyber security performance. In some cases, officials had not ensured that weaknesses discovered during audits and other examinations were recorded and tracked to resolution. Risk of compromise to the Department's information and systems remained higher than necessary.

   •   The Department's Unclassified Foreign Visits and Assignments Program (DOE/IG-0791, March 2008). Not all NNSA computers assigned to foreign nationals and assignees were properly installed with security features that would prevent one from circumventing security measures such as modifying log-on settings, loading unauthorized software, removing software, and changing computer settings. Some foreign visitors and assignees had unsupervised use of their foreign government, university, or business laptops within laboratory facilities which had live Intranet connections.

   •   Management of the Department's Publicly Accessible Websites (DOE/IG-0789, March 2008). Some of the Department's publicly accessible websites did not meet Federal accessibility or contingency planning requirements. Content on publicly accessible web servers was not always controlled and reviewed periodically. This resulted in eight instances that involved personally identifiable information (PII) being exposed to unauthorized or malicious sources. The majority of the organizations failed to implement contingency/emergency planning, provide accessibility to those with disabilities, and limit/disable unneeded computer services due to the lack of guidance from Headquarters and deficiencies in site-level management and control.

   •   The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008). Program elements and facility contractors established and operated as many as eight independent cyber security intrusion and analysis organizations whose missions and functions were partially duplicative and not well coordinated. Sites could also choose whether to participate in network monitoring activities performed by the organizations. Furthermore, the Department had not adequately addressed related issues through policy changes, despite identifying and acknowledging weaknesses in its cyber security incident management and response program.

   •   Incident of Security Concern at the Y-12 National Security Complex (DOE/IG-0785, January 2008). An unclassified laptop computer was brought into Y-12's limited area without proper authorization, was not detained by cyber security personnel, and the written incident report was not completed within the 32-hour reporting requirement. An additional 37 laptop computers may have been improperly introduced into the Limited Area by Oak Ridge National Laboratory personnel in recent years, with these incidents not properly reported in a timely manner.

   •   The Department's Unclassified Cyber Security Program - 2007 (DOE/IG-0776, September 2007). Problems persisted with the C&A of the Department's systems related to assessing risks and ensuring the adequacy of security controls. The Department had not established a complex-wide inventory of systems, and a number of organizations still had not ensured their contingency plans were in working order. Additional deficiencies were identified that reduced the Department's ability to protect its computer resources from unauthorized actions, so the Department could not always ensure the personal information on agency systems was adequately protected. Risk of compromise to the Department's information and systems remained higher than acceptable.

   •   Security Over Personally Identifiable Information (DOE/IG-0771, July 2007). The Department had not identified all site-level systems containing PII or evaluated the risks associated with maintaining such systems; remote access protection measures had not been fully deployed in accordance with Departmental direction; and, some sites had not identified mobile computing devices containing PII nor ensured that such information was encrypted.

   •   The Department's Efforts to Implement Common Information Technology Services at Headquarters (DOE/IG-0763, March 2007). Five major organizations, 40 percent of the total potential user population, were not migrated to the Department's Common Operating Environment within the first year as planned, thereby preventing realization of the full $15 million of first year savings. For certain organizations in which implementation was completed, services were not disabled for terminated employees in a timely manner, resulting in the payment of over $700,000 in unnecessary user fees and creating potential cyber security vulnerabilities.

   •   Excessing of Computers Used for Unclassified Controlled Information at Lawrence Livermore National Laboratory (DOE/IG-0759, March 2007). NNSA delayed having Lawrence Livermore National Laboratory (LLNL) implement Departmental policy on clearing, sanitizing, and destroying memory devices for almost two and a half years after the policy was issued while its Office of the Chief Information Officer (OCIO) drafted a policy letter to provide NNSA sites with specific requirements. This delay caused LLNL to not establish certain site-wide procedures and internal controls necessary to ensure the proper clearing, sanitizing, and destroying of unclassified controlled information on electronic memory devices.

   •   The National Nuclear Security Administration's Implementation of the Federal Information Security Management Act (DOE/IG-0758, February 2007). NNSA did not always properly implement its own guidance as well as Departmental and Federal cyber security requirements and had not performed regular monitoring activities essential to evaluating the adequacy of cyber security program performance. Therefore, NNSA's unclassified information systems and networks and the data they contain remain at risk of being compromised, including the possible unlawful diversion of operational data, PII, or other critical information.

   •   Certification and Accreditation of Unclassified Information Systems (DOE/IG-0752, January 2007). Many of the Department's systems were not properly certified and accredited prior to becoming operational. For example, 9 of 14 sites reviewed did not properly assess security risks to their systems and did not adequately test and evaluate security controls. In many instances, senior agency officials accredited systems although required documentation was inadequate or incomplete, such as incomplete inventories of software and hardware included within defined accreditation boundaries. The OCIO and program elements did not adequately review completed activities for quality or compliance with requirements.

Government Accountability Office Reports

   •   Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses (GAO-09-546, July 2009)

   •   Federal Information Security Issues (GAO-09-817R, June 30, 2009)

   •   Cybersecurity: Continued Federal Efforts are Needed to Protect Critical Systems and Information (GAO-09-835T, June 25, 2009)

   •   Information Security: Agencies Make Progress in Implementation of Requirements, but Significant Weaknesses Persist (GAO-09-701T, May 19, 2009)

   •   Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk (GAO-09-661T, May 5, 2009)

   •   National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen the Nation's Posture (GAO-09-432T, March 10, 2009)

   •   Nuclear Security: Los Alamos National Laboratory Faces Challenges In Sustaining Physical and Cyber Security Improvements (GAO-08-1180T, September 25, 2008)

   •   Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network (GAO-08-1001, September 2008)

   •   Los Alamos National Laboratory: Long-Term Strategies Needed to Improve Security and Management Oversight (GAO-08-694, June 2008)

   •   Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist (GAO-08-571T, March 12, 2008)

   •   Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies (GAO-08-496T, February 14, 2008)

   •   Information Security: Protecting Personally Identifiable Information (GAO-08-343, January 2008)

   •   National Nuclear Security Administration: Security and Management Improvements Can Enhance Implementation of the NNSA Act (GAO-07-428T, January 31, 2007)

   •   National Nuclear Security Administration: Additional Actions Needed to Improve Management of the Nation's Nuclear Programs (GAO-07-36, January 2007)

Office of Health, Safety and Security Reports

   •   Independent Oversight Inspection of the Unclassified Cyber Security Program at the National Training Center, June 2009

   •   Independent Oversight Inspection of the Office of Environmental Management Classified and Unclassified Cyber Security Programs at the Savannah River Site, March 2009

   •   Independent Oversight Unclassified Cyber Security Inspection of the Idaho Operations Office, the Idaho National Laboratory, and the Idaho Cleanup Project, March 2009

   •   Independent Oversight Unclassified Cyber Security Inspection of the Southeastern Power Administration, February 2009

   •   Independent Oversight Unclassified Cyber Security Inspection of the Princeton Plasma Physics Laboratory, November 2008

   •   Independent Oversight Classified and Unclassified Cyber Security Inspection of the Livermore Site Office and the Lawrence Livermore National Laboratory, June 2008

   •   Independent Oversight Red Team Activity Report, 2007 Facility Representative Workshop, March 2008

Appendix 3

Management Comments

IG Report No. DOE/IG-0828

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                           Office of Inspector General (IG-1)
                                 Department of Energy
                                Washington, DC 20585

                              ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Felicia Jones at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

              U.S. Department of Energy Office of Inspector General Home Page
                                  http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form.